Authorization elements in web.config

[Chris Leffer]

Hi.

I would like to confirm a behaviour in the authorization element from
the web.config file. Suppose the following (using Forms authentication):

<authorization>
<deny users="?" />
<deny users="User1" />
<allow users="User1" />
</authorization>

When I try to logon as the User1, I am not redirected to my default
page. But if I change the elements to:

<authorization>
<deny users="?" />
<allow users="User1" />
<deny users="User1" />
</authorization>

I am redirected. It leads me to imagine that there is not some
precedence between the allow and deny tags, so the user will be allowed
or denied to access based on the configuration that first appears. Is it
right?


If using windows authentication, suppose the User1 is in the Admins role
and the configuration is:


<authorization>
<allow roles="Admins" />
<deny users="User1" />
</authorization>

Will the user be denied or allowed to access the site resources?


Regards,
Chris Leffer

 

[Cowboy \(Gregory A. Beamer\)]

I would assume the user would be denied, as you expressly denied the user.
In the first examples, you have the same user name twice, which means you
have a conflict.

Now, as to the reason the first "wins". It is most likely the way XML config
files are parsed, which, I believe, is in reverse order. As such, the deny,
in the first example, overrides your allow and visa versa in the second.
Someone can correct me on this if I am wrong. I know this is the way many
files were parsed in the not so distant past, so it makes sense, looking at
your example.

I have not tested my assumption, so a good test is in order. If someone has
already tested this, please post. Confirmations are always good things.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************